<?php
	//session_start();
	if((!isset($_SESSION['hallpass']))||($_SESSION['hallpass']==false))
	{
		$_SESSION['error'] = "not_auth";
		header('Location: error_page.php');
	}
		
		

		/**
		 * 
		 * encrypt_me can encrypt your password for safe db storage or for other uses
		 * the password will return in an array with refence 'password', salting with reference 'salt'
		 * if $rand equels 1 then a random password will be generated
		 * @param $password - the password to encrypt
		 * @param $encryption_tech - options: "crypt", "md5", "hash"
		 * @param $rand - if rand = 1 then a random password will be generated with md5
		 */

	function encrypt_me($password,$encryption_tech,$rand)
	{
		$data_arr;
		
		if($rand==1)
		{
			$data_arr['password'] = md5(uniqid(rand(), true));
			return $data_arr;
		}
		$data_arr['salt'] = createSalt();
		
		switch ($encryption_tech)
		{
			case "md5":
			{
				return $data_arr['password'] = md5($password, $data_arr['salt']);
				break;
			}
			case "crypt":
			{
				return $data_arr['password'] = crypt($password, $data_arr['salt']);
				break;
			}
			case "hash":
			{
				return $data_arr['password'] = hash($password, $data_arr['salt']);
				break;		
			}
			default:
				{
					
					break;
				}
		}
	}
	
	/**
	 * create a random salt
	 */
	function createSalt()
	{
	    $string = uniqid(rand(0,100), true);
	    return substr($string, 0, 3);
	}
	
	/**
	 * function prevent forn spoofing.
	 * function generates a random code called a secret and plant it in the $_SESSION global variable
	 * the function also return the secret so the form writer can send the secret to later authentication
	 */
	function spoof_prevention()
	{
		//$secret = encrypt_me(0,0,1);
		$secret = md5(uniqid(rand()), false);
		$_SESSION['secret'] = $secret;
		//$_SESSION['secret'] = $secret['password'];
		
		//return $secret['password'];
		return $secret;
	}
	
	/**
	 * function prevents session hijacking.
	 * it plant a key in the global variable $_SESSION and in a cookie
	 * for validation there is a need to check if the key in both the SESSION and in the cookie
	 * are identical
	 */
	function session_hijacking_prevention()
	{
		$key = encrypt_me(0,0,1);
		setcookie('wt_cake', $key['password'], time() + 60+30);// create a cookie with a secret to prevent session hijacking
		$_SESSION['hijack'] = $key['password']; //used for session hijacking protection
	}
	
	
	/**
	 * is_spoofing - checks if a form spoofing is taking place
	 * if we were attacked by form spoofing the user will be redirected to the form we created
	 * @param $str - string to redirect to the approved form we created
	 */
	function is_spoofing($str)
	{
		$valid = false;
		
		
		if((isset($_SESSION['secret']))&&(isset($_POST['secret'])))
		{
			if($_SESSION['secret']==$_POST['secret'])
			{
				$valid = true;
				$_SESSION['spoof_status'] = 0;
				echo $valid;
				echo "<br>";
				echo "it is OK";
				echo "<br>";
			}	
			else
			{
				$valid = false;
				$_SESSION['spoof_status'] = -1;
				echo $valid;
				echo "<br>";
				$valid = false;
				echo "POST does not equel SESSION";
			}	
		}
		else
		{
			$valid = false;
			$_SESSION['spoof_status'] = -1;
			echo $valid;
			echo "<br>";
			echo "Session or POST does not exist";
			echo "<br>";
		}
			
			
	/*	
		if(!isset($_SESSION['secret'])||(!isset($_POST['secret'])))
		{
			$valid = false;
			echo "Session or POST does not exist";
			echo "<br>";
		}
		else if($_POST['secret']!=$_SESSION['secret'])
		{
			$valid = false;
			echo "POST does not equel SESSION";
			echo "<br>";
		}
		else
		{
			$valid = true;
			echo "it is OK";
			echo "<br>";
		}	
		*/
			
		if($valid==false)
		{
			switch($str)
			{
				case "login":
					header('Location: login_form.php');
					break;
				case "register":
					header('Location: register_form.php');
					break;
				case "search":
					header('Location: search');
					break;
				default:
					break;
			}
		}
		/*else if($valid==true)
			header('Location: resworker.html');*/
	}
?>